Use parameterized queries. Don't just concatenate strings together to make your SQL statements.
Here is what I am currently doing; does this count as a parameterized query?
[source lang="php"]
function BlahRpt($orderby, $startdate, $enddate)
{
    // Escape each caller-supplied value, then interpolate it into the SQL text
    $sanorderby   = $this->SanitizeForSQL($orderby);
    $sanstartdate = $this->SanitizeForSQL($startdate);
    $sanenddate   = $this->SanitizeForSQL($enddate);

    $qry = "Select * from $this->tablename WHERE `RequiredDate` >= '$sanstartdate' AND `RequiredDate` <= '$sanenddate' ORDER BY $sanorderby ASC";
    return $qry;
}
[/source]
[source lang="php"]
function SanitizeForSQL($str)
{
    // Use the MySQL-aware escaper when the mysql extension is loaded, otherwise fall back to addslashes()
    if (function_exists("mysql_real_escape_string")) {
        $ret_str = mysql_real_escape_string($str);
    } else {
        $ret_str = addslashes($str);
    }
    return $ret_str;
}
[/source]
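For comparison, the same report query written as a real prepared statement with mysqli. This is an added example, not code from either poster; it assumes a mysqli connection in `$this->db`, that `$this->tablename` is a fixed, developer-controlled name, and hypothetical column names for the sort allowlist.

```php
<?php
class OrderReport
{
    private mysqli $db;
    private string $tablename = 'orders'; // assumed, developer-controlled, never user input

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    public function BlahRpt(string $orderby, string $startdate, string $enddate): array
    {
        // Identifiers (column names) cannot be bound as parameters, so the
        // ORDER BY column is checked against a fixed allowlist instead of escaped.
        $allowedOrder = ['RequiredDate', 'OrderID', 'CustomerName']; // hypothetical columns
        if (!in_array($orderby, $allowedOrder, true)) {
            throw new InvalidArgumentException('Unknown sort column');
        }

        // Only the developer-controlled table and allowlisted column go into
        // the SQL text; the date values travel separately as bound parameters,
        // so the server never parses them as SQL.
        $sql = "SELECT * FROM `{$this->tablename}` "
             . "WHERE `RequiredDate` >= ? AND `RequiredDate` <= ? "
             . "ORDER BY `{$orderby}` ASC";

        $stmt = $this->db->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }
        $stmt->bind_param('ss', $startdate, $enddate); // 's' = string for each placeholder
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }
}
```

Escaping with mysql_real_escape_string() only protects values inside quotes; an unquoted ORDER BY identifier is why the allowlist step is needed even when everything else is bound.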